Abstract

Two semantics are commonly used for the behavior of real-time and hybrid systems: a discrete semantics, in which the temporal evolution is represented as a sequence of snapshots describing the state of the system at certain times, and a continuous semantics, in which the temporal evolution is represented by a series of time intervals, and therefore corresponds more closely to the physical reality. Powerful verification rules are known for temporal logic formulas based on the discrete semantics.

This paper shows how to transfer the verification techniques of the discrete semantics to the continuous one. We show that if a temporal logic formula has the property of finite variability, its validity in the discrete semantics implies its validity in the continuous one. This leads to a verification method based on three components: verification rules for the discrete semantics, axioms about time, and some temporal reasoning to bring the results together. This approach enables the verification of properties of real-time and hybrid systems with respect to the continuous semantics.
... the Defense Advanced Research Projects Agency under contract NAG2-892, and by the United States Air Force Office of Scientific Research under contract F49620-93-1-0139.
1 Introduction

In order to use temporal logic to specify and verify properties of real-time and hybrid systems, some semantics must be chosen for the temporal behavior of the systems. There are two common choices [2, 18]. The first is a continuous semantics, in which the system evolution is represented by a series of time intervals, together with a mapping that associates to each point in time a state of the system. The second is a discrete semantics, in which the temporal evolution of the system is represented as an enumerable sequence of snapshots, each describing the state of the system at a certain time. Each of these semantics has its advantages and weaknesses.

The continuous semantics corresponds closely to the physical behavior of the system [8, 18]. System specifications describe the physical behavior, and therefore refer more directly to the continuous semantics than to the discrete one.

The discrete semantics enables the use of powerful verification rules to draw conclusions about the behavior of the system from premises about its structure [6, 20]. The proof of the soundness of these rules depends in an essential way on the discreteness of the semantics, and in particular on reasoning by induction on the enumerable sequence of states. On the other hand, the discrete semantics corresponds less directly to the physical behavior of the system, and its relevance lies in its relationship to the continuous semantics [8].

This paper shows that the advantages of the discrete semantics can be transferred to the continuous one. We show that if a temporal logic formula has the property of finite variability, its validity in the discrete semantics implies its validity in the continuous one. Most of the formulas that arise in practice have this property, and we give a series of simple criteria to characterize them.

This allows us to adapt the verification rules for temporal logic on the discrete semantics to the continuous one: if the conclusion of the verification rule is a formula with the finite variability property, it will also hold in the continuous semantics. In this way, we are spared the work of devising new verification rules for the continuous semantics.

We therefore propose a recipe for the verification of temporal logic properties of real-time and hybrid systems that consists of three ingredients: verification rules coming from the discrete semantics, axioms stating some basic properties of time, and a small amount of temporal reasoning to bring the two together. Temporal reasoning in the continuous semantics can be kept to a minimum, if desired.

In our representation, we follow closely the approach of [20], modeling real-time and hybrid systems by timed and phase transition systems respectively, and using a temporal logic containing both explicit time and age functions. As clocks are closely related to age functions, the results can be easily transferred to logics that use clocks as the basic timing construct.

We first present the case for real-time systems in some detail, and then we show the changes needed to adapt the results to hybrid systems.
2 Real-Time Systems

Real-time systems will be modeled by timed transition systems [7, 18]. A timed transition system $S = (V, \Sigma, \Theta, T, L, U)$ consists of the following components.

1. A set $V$ of variables called state variables, each with its type.

2. A set $\Sigma$ of states: each state $s \in \Sigma$ is a type-consistent interpretation of all the variables in $V$; we indicate with $s(x)$ the value at state $s$ of $x$, for $x \in V$.

3. A set $\Theta \subseteq \Sigma$ of initial states. $\Theta$ has an associated assertion $\Theta_I(V)$, such that $\Theta = \{s \mid s \models \Theta_I\}$, where $s$ interprets $x \in V$ as $s(x)$.

4. A set $T$ of transitions, where $\tau \subseteq \Sigma \times \Sigma$ for all $\tau \in T$. Each transition $\tau \in T$ has an associated assertion $\rho_\tau(V, V')$ such that $\tau = \{(s, s') \mid (s, s') \models \rho_\tau\}$, where $(s, s')$ interprets $x \in V$ as $s(x)$ and $x'$ as $s'(x)$.

5. Two sets $L$, $U$ of minimum and maximum delays of transitions. For all $\tau \in T$ it is $0 \le l_\tau \le u_\tau \le \infty$.

We denote with $c_\tau$ the enabling condition of transition $\tau$, defined by $c_\tau = \{s \mid \exists s'.\,(s, s') \in \tau\}$. For simplicity, we will assume that transitions are self-disabling: $(s, s') \in \tau \rightarrow s' \notin c_\tau$.

The temporal behavior of a real-time system will be represented by traces. Corresponding to the discrete and the continuous views of the semantics, the formal representation of the behavior is given in terms of discrete and continuous traces.

2.1 Discrete Semantics

In the discrete semantics, each behavior is represented by a discrete trace, which is an enumerable sequence of observations. Each observation is a pair consisting of a snapshot of the system state and a timestamp indicating the time at which the snapshot was taken [8, 18, 7, 20].

Definition 1 (discrete trace) A discrete trace $\sigma_d$ is an enumerable sequence of observations $(s_0, t_0), (s_1, t_1), (s_2, t_2), \ldots$, with $s_n \in \Sigma$, $t_n \in \mathbb{R}^+$ for $n \in \mathbb{N}$, such that

$$t_0 = 0, \qquad \lim_{n \to \infty} t_n = \infty, \qquad \forall n \in \mathbb{N} : t_n \le t_{n+1}.$$

A position of a trace is simply an integer $n \in \mathbb{N}$. If a trace represents a possible behavior of a system, we say that the system admits the trace.

Definition 2 (admission, discrete traces) A timed transition system $S$ admits a discrete trace $\sigma_d$: $(s_0, t_0), (s_1, t_1), (s_2, t_2), \ldots$, written $S \triangleright \sigma_d$, if the following conditions are satisfied.

1. All the state changes are due to transitions that have been enabled at least for their minimum delay: for all $n \in \mathbb{N}$,

$$s_n = s_{n+1} \;\vee\; \Big[\, t_n = t_{n+1} \wedge \exists \tau \in T\, \big[ (s_n, s_{n+1}) \in \tau \wedge \forall k\, [\, k \le n \wedge t_k > t_n - l_\tau \rightarrow s_k \in c_\tau \,] \big] \Big].$$

2. Transitions are never enabled for longer than their maximum delay: for all $\tau \in T$, $n, k \in \mathbb{N}$ with $k \ge n$,

$$t_k - t_n \le u_\tau \;\vee\; \exists j\, [\, n \le j \le k \wedge s_j \notin c_\tau \,].$$
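The two conditions of Definition 2 can be checked mechanically on a finite prefix of a discrete trace. The following Python code is an added example, not code from the paper: the handshake system (transitions named send, reply and reset over state variables req and ack, with constructed delay bounds) and the three traces are constructed here for illustration. The limit condition of Definition 1 cannot be checked on a finite prefix and is left out; the self-disabling assumption of Section 2 is respected by the constructed transitions.

```python
# Added example (not code from the paper): checking the admission conditions
# of Definition 2 on a finite prefix of a discrete trace. The handshake system
# below and its traces are constructed for illustration.
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

State = Dict[str, int]                 # a type-consistent interpretation of V
Observation = Tuple[State, float]      # (s_n, t_n)


@dataclass(frozen=True)
class Transition:
    name: str
    enabled: Callable[[State], bool]           # s in c_tau
    relation: Callable[[State, State], bool]   # (s, s') in tau, i.e. rho_tau(V, V')
    lo: float                                  # l_tau
    hi: float                                  # u_tau (float("inf") allowed)


def trace_violations(transitions: List[Transition], trace: List[Observation]) -> List[str]:
    """Return the conditions of Definitions 1 and 2 violated by the prefix.
    An empty list means the prefix is consistent with S > sigma_d; the limit
    condition of Definition 1 cannot be checked on a finite prefix."""
    problems: List[str] = []
    if trace[0][1] != 0:
        problems.append("t_0 != 0")
    for n in range(len(trace) - 1):
        if trace[n][1] > trace[n + 1][1]:
            problems.append(f"timestamps decrease at position {n}")
    # Condition 1: every state change is a transition step taken at the same
    # time, by a transition enabled at all k <= n with t_k > t_n - l_tau.
    for n in range(len(trace) - 1):
        (s_n, t_n), (s_next, t_next) = trace[n], trace[n + 1]
        if s_n == s_next:
            continue
        if t_n != t_next:
            problems.append(f"state changes while time advances at position {n}")
            continue
        candidates = [tau for tau in transitions if tau.relation(s_n, s_next)]
        if not candidates:
            problems.append(f"no transition explains step {n} -> {n + 1}")
            continue
        if not any(all(tau.enabled(trace[k][0])
                       for k in range(n + 1) if trace[k][1] > t_n - tau.lo)
                   for tau in candidates):
            problems.append(f"step {n} -> {n + 1} taken before its minimum delay")
    # Condition 2: t_k - t_n <= u_tau, or tau is disabled at some j in [n, k].
    for tau in transitions:
        for n in range(len(trace)):
            for k in range(n, len(trace)):
                if trace[k][1] - trace[n][1] <= tau.hi:
                    continue
                if all(tau.enabled(trace[j][0]) for j in range(n, k + 1)):
                    problems.append(f"{tau.name} enabled longer than its maximum "
                                    f"delay between positions {n} and {k}")
                    break   # report each starting position at most once
    return problems


def st(req: int, ack: int) -> State:
    return {"req": req, "ack": ack}


# Constructed system: a request/acknowledge handshake. Every transition is
# self-disabling, as the paper assumes.
SYSTEM = [
    Transition("send", lambda s: s == st(0, 0),
               lambda s, s2: s == st(0, 0) and s2 == st(1, 0), lo=0, hi=10),
    Transition("reply", lambda s: s == st(1, 0),
               lambda s, s2: s == st(1, 0) and s2 == st(1, 1), lo=1, hi=3),
    Transition("reset", lambda s: s["ack"] == 1,
               lambda s, s2: s["ack"] == 1 and s2 == st(0, 0), lo=0, hi=2),
]

# Constructed traces: a consistent prefix, a reply taken after only 0.5 time
# units although l_reply = 1, and a send left enabled beyond u_send = 10.
GOOD_TRACE = [(st(0, 0), 0), (st(0, 0), 4), (st(1, 0), 4), (st(1, 0), 6),
              (st(1, 1), 6), (st(1, 1), 7), (st(0, 0), 7)]
EARLY_REPLY = [(st(0, 0), 0), (st(0, 0), 4), (st(1, 0), 4),
               (st(1, 0), 4.5), (st(1, 1), 4.5)]
STARVED_SEND = [(st(0, 0), 0), (st(0, 0), 11)]

if __name__ == "__main__":
    for name, trace in [("good", GOOD_TRACE), ("early reply", EARLY_REPLY),
                        ("starved send", STARVED_SEND)]:
        print(name, trace_violations(SYSTEM, trace) or "admitted")
```

Note how the same-timestamp requirement $t_n = t_{n+1}$ separates transition steps from the passage of time: the early reply is rejected because the observation at position 1 (time 4, request not yet sent) falls inside the window $(t_3 - l_{\mathit{reply}}, t_3]$, exactly the quantification over $k$ in condition 1.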

2.2 Continuous Semantics

In the continuous semantics, the behavior of the system is represented by a mapping from intervals of time to states of the system, and time is modelled by the set of real numbers. A trace is no longer a sequence of snapshots, but a continuous representation of the evolution of the state of the system. Here, the word "continuous" is used in a different way than in calculus; it means that there are no gaps in the temporal description of the system, such as the gaps between snapshots of the discrete semantics. It is this absence of gaps that makes the continuous semantics closer to physical reality.

Formally, a continuous trace is a sequence of pairs consisting of a state of the system and an interval of time spent by the system in that state. The intervals of time can overlap at most at the endpoints [8, 10, 2]. This semantics closely resembles the superdense semantics of [18]. If $A$ is a linearly ordered set, we will indicate with $\mathrm{Int}_A$ the set of intervals (i.e. convex sets) of $A$.

Definition 3 (continuous trace) A continuous trace $\sigma_c$ is a sequence of pairs $\sigma_c$: $(r_0, I_0), (r_1, I_1), (r_2, I_2), \ldots$, with $I_n \in \mathrm{Int}_{\mathbb{R}}$ and $r_n \in \Sigma$ for all $n \in \mathbb{N}$, such that:

$$\forall n\,(\sup I_n = \inf I_{n+1}), \qquad \bigcup_{n \in \mathbb{N}} I_n = \mathbb{R}^+.$$

A continuous trace is closed if all its intervals $I_0, I_1, I_2, \ldots$ are; it is open otherwise.

Definition 4 (moment) A moment of a trace $\sigma_c$: $(r_0, I_0), (r_1, I_1), (r_2, I_2), \ldots$ is a pair $(n, t)$ such that $t \in I_n$ [18]. The ordering $\le$ of moments is the expected one:

$$(n, t) \le (n', t') \quad\text{iff}\quad n < n' \vee (n = n' \wedge t \le t').$$

In the following, when we write a pair $(n, t)$ relative to a trace $\sigma_c$ we will always assume that it is a moment of $\sigma_c$. We give the definition of admission only for closed traces. We define $I_n^- = \inf I_n$, $I_n^+ = \sup I_n$. The definition of admission is then similar to the one given for discrete traces.

Definition 5 (admission, continuous traces) We say that a timed transition system $S$ admits a trace $\sigma_c$: $(r_0, I_0), (r_1, I_1), (r_2, I_2), \ldots$ if $\sigma_c$ is closed, and the following conditions are satisfied.

1. All the state changes are due to transitions that have been enabled at least for their minimum delay: for all $n \in \mathbb{N}$,

$$r_n = r_{n+1} \;\vee\; \exists \tau \in T\, \big[ (r_n, r_{n+1}) \in \tau \wedge \forall k\, [\, k \le n \wedge I_k^+ > I_n^+ - l_\tau \rightarrow r_k \in c_\tau \,] \big].$$

2. Transitions are never enabled for longer than their maximum delay: for all $\tau \in T$, $n, k \in \mathbb{N}$ with $k \ge n$,

$$I_k^+ - I_n^- \le u_\tau \;\vee\; \exists j\, [\, n \le j \le k \wedge r_j \notin c_\tau \,].$$
3 Temporal Logic

To express temporal properties of the behavior of the system, we use a multi-sorted temporal logic similar to the one proposed in [5, 6, 20].

Syntax. Our language contains flexible and rigid constants, rigid variables, rigid function symbols and predicates, the propositional connectives, the future temporal operators $\Box$, $\mathcal{U}$ and the past ones $\boxminus$, $\mathcal{S}$, and the symbols $=$ for equality and $\forall$ for quantification. From this basic set of symbols, additional ones can be defined as usual. Note that there is no next-time $\bigcirc$ operator in the logic.

The variables of the logic are rigid, meaning that they have the same value at all times; thus, quantification is allowed on rigid variables only [4]. The state variables of the system, whose value can change in time, are represented instead by flexible constants. This is different from the approach followed by [19], where quantification is allowed also on flexible variables, and where flexible variables (instead of flexible constants) are used to represent the state variables of the system. The approach followed here is such that a trace of the system will determine the model, and the variable assignment is used to deal with variables and quantification. To avoid confusion, for the rigid variables of the logic we use Greek letters like $\xi$, $\zeta$, and for the flexible state variables of the system Latin ones like $x$, $y$.

Our language also contains the special flexible constant $T$ of type real, whose value represents the time, and the interpreted predicate $\le$ over the reals. Moreover, the language includes the age function $\Gamma$. For a formula $\phi$, the term $\Gamma(\phi)$ indicates the length of the most recent interval in which $\phi$ has been continuously true [20]. We will assume that the argument $\phi$ of $\Gamma(\phi)$ does not contain occurrences of $T$ or nested age functions.

Semantics. The truth of temporal logic formulas is evaluated with respect to a model $M$ and a variable assignment $X$. A model $M = (W, \le, a)$ is composed of a frame $\mathcal{F} = (W, \le)$ and an assignment function $a$. The frame is a set $W$ of worlds together with a relation of reflexive linear order $\le$. Each world represents an instant of time, and the order relation $\le$ represents the temporal succession of worlds. We assume that there is a least world in the ordering, called the initial world.

The function $a$ is a type-consistent assignment of values to predicates, functions and constants. We indicate with $a(w)(\alpha)$ the value of the symbol $\alpha$ at world $w \in W$. The assignment to rigid symbols does not depend on the world $w$.

We indicate with $X, M \models_w \phi$ the fact that the formula $\phi$ is true at world $w$ of model $M$ with variable assignment $X$. Truth is computed by induction on the structure of $\phi$ in the usual way; as an example, the cases for $\Box$ and $\forall$ are:

$$X, M \models_w \Box\phi \quad\text{iff}\quad \forall w' \in W .\; w \le w' \rightarrow X, M \models_{w'} \phi,$$

$$X, M \models_w \forall\xi\,\phi \quad\text{iff}\quad \forall d \in D_\xi : X[d/\xi], M \models_w \phi,$$

where $D_\xi$ is the domain corresponding to the type of $\xi$ and $X[d/\xi]$ is the variable assignment obtained from $X$ by assigning the value $d$ to $\xi$.
Temporal logic and traces. We can use temporal logic to specify properties of traces by associating a model to each trace. We assume that functions and predicates have some predefined assignment.

To the discrete trace $\sigma_d$: $(s_0, t_0), (s_1, t_1), (s_2, t_2), \ldots$ we associate the model $M_{\sigma_d} = (\mathbb{N}, \le, a_{\sigma_d})$, where $a_{\sigma_d}$ is the assignment defined by, for $x \in V$ and $n \in \mathbb{N}$:

$$a(n)(x) = s_n(x), \qquad a(n)(T) = t_n.$$

Instead of $X, M_{\sigma_d} \models_n \phi$, we will usually write $X, \sigma_d \models_n \phi$.

In the model corresponding to a continuous trace $\sigma_c$: $(r_0, I_0), (r_1, I_1), (r_2, I_2), \ldots$, we take as frame $(W, \le)$ the set of moments of $\sigma_c$ together with their linear ordering; the initial world is $(0, 0)$. The assignment is then defined, for $x \in V$ and $n \in \mathbb{N}$, by

$$a(n, t)(x) = r_n(x), \qquad a(n, t)(T) = t.$$

Again, we usually write $X, \sigma_c \models_{(n,t)} \phi$ instead of $X, M_{\sigma_c} \models_{(n,t)} \phi$.

We can thus define two temporal logics: $\mathrm{TL}_D$ over discrete traces, and $\mathrm{TL}_C$ over continuous ones. A formula $\phi$ is valid in $\mathrm{TL}_D$, written $\models^D \phi$, if $X, \sigma_d \models_n \phi$ for all $X$, $\sigma_d$, $n$. Similarly, $\phi$ is valid in $\mathrm{TL}_C$, written $\models^C \phi$, if $X, \sigma_c \models_{(n,t)} \phi$ for all $X$, all $\sigma_c$, and all moments $(n, t)$ of $\sigma_c$. In general, if one or more of the symbols $X$, $\sigma$, $w$ are omitted from $X, \sigma \models_w \phi$, the truth of $\phi$ is required for all possible values of the omitted symbols.

Thus, $\models \phi$ means that $\phi$ is true in all the worlds of all the models. This semantics is called floating semantics, and is different from the anchored semantics presented in [19], in which $\models \phi$ means that $\phi$ is true in the first world of all models. This semantics has been chosen as it has simpler proof-theoretical properties, in the absence of a next-time operator.

We can also define the validity of formulas with respect to a system $S$ by restricting the set of traces considered in the above definitions to those admitted by $S$. Correspondingly, we have the notions of a formula $\phi$ being $S$-valid in $\mathrm{TL}_D$ or $\mathrm{TL}_C$, indicated respectively with $S \models^D \phi$, $S \models^C \phi$.


3.1 Specification and Verification

The logics $\mathrm{TL}_D$ and $\mathrm{TL}_C$ have different properties, reflecting the difference in the two underlying semantics.

Example 1 (density of time) The two logics $\mathrm{TL}_D$, $\mathrm{TL}_C$ have different sets of valid formulas. For example, the formula

$$\phi:\quad \forall\xi\,\forall\zeta\,\Big[\, \Diamond(T = \xi) \wedge \Diamond(T = \zeta) \rightarrow \Diamond\Big(T = \frac{\xi + \zeta}{2}\Big) \Big]$$

expressing the density of time is such that $\models^C \phi$, $\models^D \neg\phi$.

While the continuous semantics corresponds closely to the physical behavior of the system, the discrete semantics gives only an approximate description in terms of a series of snapshots. System specifications, being ultimately a specification of the physical behavior, can be more faithfully expressed in the continuous semantics. For hybrid systems this is even truer, as the state can change continuously in time and continuous changes are not represented in the discrete semantics [18].

However, the verification of the properties of a system is simpler in the discrete semantics. The methods proposed in [7, 18, 20] to verify properties written in $\mathrm{TL}_D$ rely on two concepts: verification conditions and verification rules. If $\phi$ and $\psi$ are arbitrary past formulas, that is, formulas not containing future temporal operators, it is possible to define the verification conditions $\{\phi\}\,\tau\,\{\psi\}$, $\{\phi\}\,\mathit{tick}\,\{\psi\}$ having the following intuitive readings.

$\{\phi\}\,\tau\,\{\psi\}$: if $\phi$ is true, and the transition $\tau$ can be taken, $\psi$ will be true in the resulting state.

$\{\phi\}\,\mathit{tick}\,\{\psi\}$: if $\phi$ is true, and the time advances, $\psi$ will be true in the resulting state.

The verification conditions allow in turn the statement of verification rules that relate the structure of the system to its temporal properties. An example of verification rule is the ubiquitous invariance rule:

$$\frac{S \models \{\phi\}\,\tau\,\{\phi\} \text{ for all } \tau \in T, \qquad S \models \{\phi\}\,\mathit{tick}\,\{\phi\}}{S \models \phi \rightarrow \Box\phi}$$

The proof of the soundness of the verification conditions and of the verification rules makes an essential use of the discreteness of the semantics, so that the approach cannot be easily transferred to the continuous semantics.

3.2 Verification in the Continuous Semantics

In this paper we will show how the advantages of the discrete semantics can be transferred to the continuous one. The key idea consists in defining a property, finite variability, or FV, and showing that if $\phi$ is FV, then $S \models^D \phi$ implies $S \models^C \phi$.

To verify that a system satisfies a specification written in $\mathrm{TL}_C$, we therefore propose a methodology consisting of three main ingredients.

The first one consists in the use of verification rules for $\mathrm{TL}_D$, whose conclusion can be transferred to $\mathrm{TL}_C$. This will enable us to go from the description of the structure of the system in terms of transitions to the properties it satisfies, expressed in temporal logic.

The second one is a series of axioms about time. These axioms state properties that are at the same time fundamental and not derivable in $\mathrm{TL}_D$.

The third ingredient is a deductive system for $\mathrm{TL}_C$. This will enable us to bring together the results of the verification in $\mathrm{TL}_D$ and of the axioms about time, leading to the desired real-time properties of a system. If it is desired, temporal reasoning in $\mathrm{TL}_C$ can often be kept to a minimum.

A related approach to proving $S \models^C \phi$ has been proposed in [8] for similar semantics and logics. It consists in rephrasing the property $\phi$ into a form $\phi'$ better suited to the discrete semantics. If the rephrasing is perfect, then $S \models^D \phi' \leftrightarrow S \models^C \phi$; otherwise, it is sometimes possible to find a stronger property $\phi''$ such that $S \models^D \phi'' \rightarrow S \models^C \phi$. In [8] it is explained how to rephrase some formulas, and how to approximate others with stronger conditions.

Our approach extends the one based on rephrasing by considering general formulas. Moreover, since temporal reasoning in $\mathrm{TL}_C$ is allowed, we can prove the validity of formulas that have no useful rephrasing. Our strategy applies also to hybrid systems, where not only time but also other parameters of the state of the system can vary in a continuous way.

To show the soundness of our approach, we need a careful analysis of the relationship between the discrete and continuous semantics, to which we will now turn our attention.

4 From Discrete to Continuous Reasoning

4.1 Refinement

Each behavior of the system can be represented in more than one way by discrete or continuous traces, corresponding to the different ways of sampling the state of the system in time.

Example 2 The two discrete traces

$$\sigma_d:\ (x{=}0,\, t{=}0),\ (x{=}1,\, t{=}0),\ (x{=}1,\, t{=}10),\ \ldots$$

$$\sigma'_d:\ (x{=}0,\, t{=}0),\ (x{=}1,\, t{=}0),\ (x{=}1,\, t{=}5),\ (x{=}1,\, t{=}10),\ \ldots$$

(with positions $0, 1, 2, \ldots$ and $0, 1, 2, 3, \ldots$ respectively) intuitively represent the same behavior of the system, but $\sigma'_d$ contains one more sampling of the state of the system, $(x{=}1,\, t{=}5)$. ■

Specifically, we say that a trace is a refinement of another if it has been obtained by sampling the state of the system more frequently in time [15, 16, 2]. To give a formal definition of refinement, we introduce partitioning functions, which are closely related to the event-stretching functions of [13, 12].

Definition 6 (partitioning function) A partitioning function $\mu$ is a function $\mathbb{N} \to \mathrm{Int}_{\mathbb{N}}$ such that the intervals $\mu_0, \mu_1, \mu_2, \ldots$ are adjacent and disjoint. Formally, $\bigcup_{n \in \mathbb{N}} \mu_n = \mathbb{N}$, and $\forall n \in \mathbb{N} : \max \mu_n = \min \mu_{n+1} - 1$.

Intuitively, a trace $\sigma'_d$: $(s'_0, t'_0), (s'_1, t'_1), (s'_2, t'_2), \ldots$ is a refinement of $\sigma_d$: $(s_0, t_0), (s_1, t_1), (s_2, t_2), \ldots$ if many observations of $\sigma'_d$ correspond to a single observation of $\sigma_d$. We use the partitioning function to specify the correspondence: all the pairs $(s'_j, t'_j)$ with $j \in \mu_i$ will correspond to $(s_i, t_i)$. Similarly, if $\sigma'_c$: $(r'_0, I'_0), (r'_1, I'_1), \ldots$ is a refinement of $\sigma_c$: $(r_0, I_0), (r_1, I_1), (r_2, I_2), \ldots$, all the intervals $I'_j$ with $j \in \mu_i$ will correspond to the single interval $I_i$.

Definition 7 (refinement) A discrete trace $\sigma'_d$: $(s'_0, t'_0), (s'_1, t'_1), (s'_2, t'_2), \ldots$ is a refinement of $\sigma_d$: $(s_0, t_0), (s_1, t_1), (s_2, t_2), \ldots$ by the partitioning function $\mu$, indicated by $\sigma'_d \sqsubseteq_\mu \sigma_d$, if for all $i$: $t'_{\min \mu_i} = t_i$, and $\forall j \in \mu_i : s'_j = s_i$.

A continuous trace $\sigma'_c$: $(r'_0, I'_0), (r'_1, I'_1), (r'_2, I'_2), \ldots$ is a refinement of $\sigma_c$: $(r_0, I_0), (r_1, I_1), (r_2, I_2), \ldots$ by the partitioning function $\mu$, denoted $\sigma'_c \sqsubseteq_\mu \sigma_c$, if for all $i \in \mathbb{N}$:

$$I_i = \bigcup_{j \in \mu_i} I'_j, \qquad \forall j\,(j \in \mu_i \rightarrow r'_j = r_i).$$
[Figure 1: A closed continuous trace $\sigma_c$ and one of its open refinements $\sigma'_c \sqsubseteq \sigma_c$.]


Example 3 For $\sigma_d$, $\sigma'_d$ as in Example 2, we have $\sigma'_d \sqsubseteq_\mu \sigma_d$ with $\mu_0 = \{0\}$, $\mu_1 = \{1, 2\}$, $\mu_2 = \{3\}$, .... Figure 1 gives an example of refinement of continuous computations. ■

Note that the definition for continuous traces is independent of whether the trace is closed or not. In the following, we write $\sigma$ to denote a generic trace, either discrete or continuous. We call sample equivalent two traces that have a common refinement [12].

Definition 8 (sample equivalence) Two discrete (resp. continuous) traces $\sigma$, $\sigma'$ are sample equivalent, written $\sigma \approx \sigma'$, if there is a discrete (resp. continuous) trace $\sigma''$ such that $\sigma'' \sqsubseteq \sigma$, $\sigma'' \sqsubseteq \sigma'$.

Two sample equivalent traces are two different representations of the same behavior of the system. It is no surprise then that we have the following theorem, stating that systems do not distinguish between sample equivalent traces [15, 16].

Theorem 1 If $\sigma_d \approx \sigma'_d$, then $S \triangleright \sigma_d$ iff $S \triangleright \sigma'_d$. If $\sigma_c$ and $\sigma'_c$ are both closed, and $\sigma_c \approx \sigma'_c$, then $S \triangleright \sigma_c$ iff $S \triangleright \sigma'_c$.

In fact, it could be argued that a better representation of the behavior of the system can be obtained by considering equivalence classes of admitted traces modulo sampling equivalence. These equivalence classes, called sample equivalence classes, would be similar to the closure under stuttering of [2]. This is generally not done, as reasoning about equivalence classes of traces can be harder than reasoning about a single trace at a time.

Since sample equivalent traces correspond to the same behavior of the system, it is desirable that temporal logic does not distinguish among them. We say that a temporal logic is sample invariant if $\sigma \approx \sigma'$ implies $X, \sigma \models \phi \leftrightarrow X, \sigma' \models \phi$ [15]. The logic $\mathrm{TL}_C$ is sample invariant; $\mathrm{TL}_D$ is not. The result for $\mathrm{TL}_C$ is given by the following theorem, which establishes that if a trace is a refinement of another, the same formulas hold at corresponding moments.

Theorem 2 (sample invariance of $\mathrm{TL}_C$) If $\sigma'_c \sqsubseteq_\mu \sigma_c$ and $j \in \mu_i$, then $X, \sigma'_c \models_{(j,t)} \phi$ iff $X, \sigma_c \models_{(i,t)} \phi$. If $\sigma'_c \approx \sigma_c$, then $\sigma'_c \models \phi$ iff $\sigma_c \models \phi$.
4.2 Translations between Discrete and Continuous Semantics

To set up a correspondence between discrete and continuous traces that represent the same behavior of the system, we will use two translation functions: from discrete traces to continuous ones, and vice versa. These translations are uniquely determined between sample equivalence classes of traces, but we have some freedom to choose the trace that corresponds to a given one within a sample equivalence class.

The translation $\Upsilon$ from discrete traces to closed continuous traces associates to each $(s_n, t_n)$ a closed interval stretching from $t_n$ to $t_{n+1}$.

Definition 9 ($\Upsilon : \sigma_d \mapsto \sigma_c$) We define the translation function $\Upsilon$ from discrete traces to continuous ones as the function associating to $\sigma_d$: $(s_0, t_0), (s_1, t_1), (s_2, t_2), \ldots$ the closed trace $\sigma_c$: $(r_0, I_0), (r_1, I_1), (r_2, I_2), \ldots$ defined by, for all $n \in \mathbb{N}$: $r_n = s_n$, $I_n^- = t_n$, $I_n^+ = t_{n+1}$.

In the opposite translation, $\Omega$, the idea is that each interval of the continuous trace is represented in the discrete trace by two observations, one for each endpoint. We define the translation so that also nonclosed traces can be translated, and some care must be taken to handle the case of open and half-open intervals.

Definition 10 ($\Omega : \sigma_c \mapsto \sigma_d$) The translation function $\Omega$ associates to $\sigma_c$: $(r_0, I_0), (r_1, I_1), (r_2, I_2), \ldots$ the discrete trace $\sigma_d$: $(s_0, t_0), (s_1, t_1), (s_2, t_2), \ldots$ defined in the following way, for all $n \in \mathbb{N}$.

1. $s_{2n} = s_{2n+1} = r_n$.

2. (a) If $I_n$ is closed, $t_{2n} = I_n^-$, $t_{2n+1} = I_n^+$.

(b) If $I_n$ is left open, $t_{2n} = t_{2n+1} = I_n^+$.

(c) If $I_n$ is right open, $t_{2n} = t_{2n+1} = I_n^-$.

(d) If $I_n$ is open, $t_{2n} = t_{2n+1} = (I_n^- + I_n^+)/2$.
Figures 2 and 3 show examples of traces and their translations. The following lemma shows that the translations are each other's inverse, modulo sampling equivalence, and that they preserve for closed traces the partial order of refinement of traces. It also suggests that traces related by the translation functions represent the same behavior of the system.

[Figure 3: An open trace $\sigma_c$ and its discrete translation $\Omega(\sigma_c)$: $(x{=}0,\, t{=}0), (x{=}0,\, t{=}1), (x{=}1,\, t{=}4), (x{=}1,\, t{=}4), (x{=}7,\, t{=}5), (x{=}7,\, t{=}5), (x{=}2,\, t{=}6), \ldots$ Note that $\sigma_c$ is not the refinement of any closed trace.]

Lemma 1

1. For any $\sigma_d$, $\sigma'_d$, $\sigma_c$, $\sigma'_c$, with $\sigma_c$ closed, we have:

$$\sigma'_d \sqsubseteq \sigma_d \rightarrow \Upsilon(\sigma'_d) \sqsubseteq \Upsilon(\sigma_d), \qquad \Omega(\Upsilon(\sigma_d)) \sqsubseteq \sigma_d,$$

$$\sigma'_c \sqsubseteq \sigma_c \rightarrow \Omega(\sigma'_c) \sqsubseteq \Omega(\sigma_c), \qquad \Upsilon(\Omega(\sigma_c)) \sqsubseteq \sigma_c.$$

2. For any $S$, $\sigma_d$ and closed $\sigma_c$, $S \triangleright \sigma_d$ iff $S \triangleright \Upsilon(\sigma_d)$, and $S \triangleright \sigma_c$ iff $S \triangleright \Omega(\sigma_c)$.

3. If $S \triangleright \sigma_c$ and $\sigma'_c \sqsubseteq \sigma_c$, then $S \triangleright \Omega(\sigma'_c)$.
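As an added example (not the paper's own code), the following Python implements the translations $\Upsilon$ (Definition 9) and $\Omega$ (Definition 10) together with the refinement relation $\sqsubseteq_\mu$ of Definition 7 on finite prefixes of traces, and uses them to check the instances $\Omega(\Upsilon(\sigma_d)) \sqsubseteq \sigma_d$ and $\Upsilon(\Omega(\sigma_c)) \sqsubseteq \sigma_c$ of Lemma 1.1 on the traces of Example 2 and on a constructed closed trace; a constructed open trace exercises the endpoint cases of $\Omega$. Intervals carry both endpoints and whether each is included, so the four cases of Definition 10 can be told apart; on a finite prefix $\Upsilon$ drops the last observation, since its interval has no right endpoint. Exact rationals are used so that the midpoint of case (d) is computed without rounding.

```python
# Added example (not code from the paper): the translations Upsilon
# (Definition 9) and Omega (Definition 10) and the refinement relation of
# Definition 7 on finite prefixes of traces. Traces and partitioning
# functions below are constructed for illustration.
from dataclasses import dataclass
from fractions import Fraction
from typing import Dict, List, Optional, Tuple

State = Dict[str, int]


@dataclass(frozen=True)
class Interval:
    lo: Fraction                 # I^- = inf I
    hi: Fraction                 # I^+ = sup I
    left_closed: bool = True     # does I contain I^- ?
    right_closed: bool = True    # does I contain I^+ ?

    @property
    def is_closed(self) -> bool:
        return self.left_closed and self.right_closed


def closed(lo, hi) -> Interval:
    return Interval(Fraction(lo), Fraction(hi), True, True)


DiscreteTrace = List[Tuple[State, Fraction]]
ContinuousTrace = List[Tuple[State, Interval]]


def upsilon(sigma_d: DiscreteTrace) -> ContinuousTrace:
    """Definition 9: (s_n, t_n) becomes (s_n, [t_n, t_{n+1}]); on a finite
    prefix the last observation has no successor and is dropped."""
    return [(s, closed(t, t_next))
            for (s, t), (_, t_next) in zip(sigma_d, sigma_d[1:])]


def omega(sigma_c: ContinuousTrace) -> DiscreteTrace:
    """Definition 10: (r_n, I_n) becomes two observations with state r_n,
    timestamped according to which endpoints I_n contains."""
    sigma_d: DiscreteTrace = []
    for r, iv in sigma_c:
        if iv.is_closed:                                  # (a) [I^-, I^+]
            t_even, t_odd = iv.lo, iv.hi
        elif not iv.left_closed and iv.right_closed:      # (b) (I^-, I^+]
            t_even = t_odd = iv.hi
        elif iv.left_closed and not iv.right_closed:      # (c) [I^-, I^+)
            t_even = t_odd = iv.lo
        else:                                             # (d) (I^-, I^+)
            t_even = t_odd = (iv.lo + iv.hi) / 2
        sigma_d.extend([(r, t_even), (r, t_odd)])
    return sigma_d


def is_partitioning(mu: List[List[int]], length: int) -> bool:
    """Definition 6 on positions 0..length-1: adjacent, disjoint blocks
    of consecutive naturals that together cover every position."""
    flat = [j for block in mu for j in block]
    return (flat == list(range(length)) and
            all(block == list(range(block[0], block[-1] + 1)) for block in mu))


def refines_discrete(fine: DiscreteTrace, coarse: DiscreteTrace,
                     mu: List[List[int]]) -> bool:
    """Definition 7, discrete case: t'_{min mu_i} = t_i and s'_j = s_i."""
    if not is_partitioning(mu, len(fine)) or len(mu) != len(coarse):
        return False
    return all(fine[block[0]][1] == coarse[i][1] and
               all(fine[j][0] == coarse[i][0] for j in block)
               for i, block in enumerate(mu))


def union_adjacent(parts: List[Interval]) -> Optional[Interval]:
    """Union of a run of adjacent intervals, or None if a point is missing."""
    for a, b in zip(parts, parts[1:]):
        if a.hi != b.lo or not (a.right_closed or b.left_closed):
            return None
    return Interval(parts[0].lo, parts[-1].hi,
                    parts[0].left_closed, parts[-1].right_closed)


def refines_continuous(fine: ContinuousTrace, coarse: ContinuousTrace,
                       mu: List[List[int]]) -> bool:
    """Definition 7, continuous case: I_i is the union of the I'_j with
    j in mu_i, and r'_j = r_i for those j."""
    if not is_partitioning(mu, len(fine)) or len(mu) != len(coarse):
        return False
    return all(union_adjacent([fine[j][1] for j in block]) == coarse[i][1] and
               all(fine[j][0] == coarse[i][0] for j in block)
               for i, block in enumerate(mu))


def x_is(v: int) -> State:
    return {"x": v}


# Example 2 of the paper (finite prefixes) and the partitioning of Example 3.
SIGMA_D = [(x_is(0), Fraction(0)), (x_is(1), Fraction(0)), (x_is(1), Fraction(10))]
SIGMA_D2 = [(x_is(0), Fraction(0)), (x_is(1), Fraction(0)),
            (x_is(1), Fraction(5)), (x_is(1), Fraction(10))]
MU_EXAMPLE_3 = [[0], [1, 2], [3]]
# Constructed closed trace, and an open one with a left-open and an open interval.
SIGMA_C = [(x_is(0), closed(0, 1)), (x_is(1), closed(1, 4)), (x_is(2), closed(4, 6))]
SIGMA_C_OPEN = [(x_is(0), closed(0, 1)),
                (x_is(1), Interval(Fraction(1), Fraction(4), False, True)),
                (x_is(2), Interval(Fraction(4), Fraction(6), False, False))]

if __name__ == "__main__":
    print(refines_discrete(SIGMA_D2, SIGMA_D, MU_EXAMPLE_3))                      # True
    print(refines_discrete(omega(upsilon(SIGMA_D)), SIGMA_D[:2], [[0, 1], [2, 3]]))  # True
    print(refines_continuous(upsilon(omega(SIGMA_C)), SIGMA_C, [[0, 1], [2, 3], [4]]))  # True
    print([t for _, t in omega(SIGMA_C_OPEN)])                                    # [0, 1, 4, 4, 5, 5]
```

The partitioning $\mu_i = \{2i, 2i+1\}$ used for the Lemma 1 checks is the one that pairs the two observations $\Omega$ produces per interval (and, for $\Upsilon(\Omega(\sigma_c))$, the interval $[I_i^-, I_i^+]$ with the degenerate interval $[I_i^+, I_i^+]$ that follows it) with the original position $i$.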

4.3  Finite  Variability 

Consider  the  formula  r>3Va;  =  4.  In  every  finite  interval  of  a  continuous  trace,  the  truth 
value  of  its  subformulas  can  change  at  most  a  finite  number  of  times.  Thus,  given  a  trace 
Ob,  it  seems  possible  to  refine  it  into  a  (possibly  open)  trace  ac'.  (rQ,jQ},  {ri,I[),  {r'^,I'^, 

. . .  such  that  each  subformula  has  constant  truth  value  throughout  all  intervals  /j,  j  €  IN. 
This  is  the  idea  underlying  the  definition  of  finite  variability. 

The  set  of  subformulas  of  4>,  denoted  by  sb((^),  is  defined  by  induction  on  the  structure 
of  (f: 


sb(P  . .  .  Un)  =  {P  1ii  . . .  Un}  U  Uf33isb(«i) 
sb(ui  =  U2)  =  {«i  =  U2}  U  sb(ui)  U  sb(u2) 
sb(-^<^)  =  {->(!)}  U  sb((^) 
sb(<^  — »•  V*)  =  V’}  U  sb(<^)  U  sb(V’) 

sb(n(?i)  =  U  sb(^) 
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sb(^W^)  =  Usb(^)  Usb(V') 

sb(Vx0)  =  {\/x(f)}Usb{4>) 

and  similarly  for  the  other  propositional  connectives  and  temporal  operators.  The  set  of 
subformulas  of  a  term  is  defined  by: 

sb(c)  =  0  sb(^)  =  0 

sb(/  til ...  tin)  =  Uf=isb(tti)  sb(r(^))  =  sb(<?i), 

where  c  denotes  a  constant,  flexible  or  rigid.  Finite  variability  can  then  be  defined  as  follows. 

Definition  11  (finite  variability)  A  formula  4>  has  the  property  of  finite  variability,  or 
FV,  if  for  every  closed  Gc  and  every  X  there  exists  a  a^y  Gc  such  that 

^5  V’  O'c  V’ 

for  all  subformulas  ip  €  sb(<^).  The  trace  g^  with  the  above  property  can  be  open,  and  is 
called  a  ground  trace  for  (p,  Gc  and  X. 


Example 4 Many common formulas used in the specification and verification of systems are FV. On the other hand, an example of a formula which is not FV is the following:

$$\cos\!\left(\frac{1}{T-4}\right) > 0 .$$

The reason why the above formula is not FV is that it is not possible to subdivide $\mathbb{R}^+$ into a finite number of intervals in which the subformula $\cos(1/(T-4)) > 0$ has constant value. ■


Example 5 Another, more subtle, example of a formula which is not FV is given by the formula $\phi$ of Example 1. The reason why it is not possible to refine a given $\sigma_c$ into a $\sigma'_c$ such that the values of the subformulas are constant in the intervals of $\sigma'_c$ has to do with the way quantification interacts with time. Specifically, for each value of $\xi$ and $\zeta$ it is possible to find a $\sigma'_c$ such that the subformulas $\xi = T$, $\zeta = T$ and $T = (\xi + \zeta)/2$ have constant value in the intervals. However, it is not possible to find a $\sigma'_c$ that has this property for all possible values of $\xi$ and $\zeta$. ■

The importance of the concept of finite variability lies in the fact that if all subformulas have constant truth value throughout each interval, then the ground continuous trace is faithfully represented by its discrete translation. The necessity of considering formulas that have constant truth value in the intervals had already been recognized in [20], where the set of important events was introduced purposely to prevent certain formulas from changing truth value within an interval. The definition of finite variability provides a more general solution: it gives an account of the behavior of quantification, and it allows the temporal logic specifications to be changed without also having to change the set of important events.

For FV formulas, the connection between TLc and TLd is expressed by the following results.

Theorem 3 If $\sigma'_c$ is a ground trace for $\phi$, $\sigma_c$, $\mathcal{I}$, with $\sigma_c$ closed, then for every moment $(n,t)$ of $\sigma'_c$

$$\mathcal{I}, \eta(\sigma'_c) \models_{2n} \phi \;\leftrightarrow\; \mathcal{I}, \sigma'_c \models_{(n,t)} \phi .$$

This  theorem  enables  us  to  make  a  connection  between  the  formulas  that  are  valid,  or 
S-valid,  in  the  two  logics. 

Theorem 4 (transfer of validity) If $S \models^D \phi$ and $\phi$ is FV, then $S \models^C \phi$. If $\models^D \phi$ and $\phi$ is FV, then $\models^C \phi$.

Proof. We prove only the first statement, as the proof of the second is similar. We prove the contrapositive: assume $S \not\models^C \phi$. Then there are $\mathcal{I}$, $\sigma_c$ and a moment $(n,t)$ of $\sigma_c$ such that $S \triangleright \sigma_c$ and $\mathcal{I}, \sigma_c \not\models_{(n,t)} \phi$. As $\phi$ is FV and $\sigma_c$ is closed, there is a trace $\sigma'_c \sqsubseteq \sigma_c$ that is ground for $\phi$, $\sigma_c$, $\mathcal{I}$. There is a $k \in \rho_n$ such that $(k,t)$ is a moment of $\sigma'_c$, and from Theorem 2 we have that $\mathcal{I}, \sigma'_c \not\models_{(k,t)} \phi$. As $\sigma'_c$ is ground for $\mathcal{I}$, $\phi$, by Theorem 3 we have $\mathcal{I}, \eta(\sigma'_c) \not\models_{2k} \phi$. Lemma 1 ensures that $S \triangleright \eta(\sigma'_c)$, and we finally get $S \not\models^D \phi$, which concludes the proof. ■

Note that the converse of this theorem does not hold, i.e. if $\phi$ is FV and $S \models^C \phi$, it does not follow that $S \models^D \phi$. A simple example is provided by $\phi : \Diamond(T = 5)$, which is valid in the continuous semantics, but is not necessarily valid on a discrete trace of a system (see Example 2).

4.4  From  Discrete  to  Continuous  Validity 

Finite  variability  is  a  semantic  property  of  a  formula:  to  be  able  to  use  the  result  of  the 
last  theorem  in  a  proof  system  for  TLc,  we  need  to  replace  it  by  some  syntactic  criterion. 

To  obtain  a  sufficient  syntactical  condition  for  FV,  we  first  define  well-behaved  functions 
that  are  analytical  along  the  real  axis  in  some  of  their  variables.  Here,  the  word  “analytical” 
is  used  in  the  calculus  sense. 

Definition 12 (well-behaved function) We say that a function $f(z_0, \ldots, z_n, v_1, \ldots, v_k)$ is well-behaved if for all $i$ with $0 \le i \le n$, and for all real values of the remaining arguments ($v_m$ with $1 \le m \le k$, and $z_j$ with $j \ne i$), $f$ when considered as a function of $z_i$ only is analytical in a region of the complex plane containing the real axis.

Example 6 Examples of well-behaved functions are

$$f(z_0, z_1, v_0) = z_0 + z_1 + v_0,$$
$$f(z_0, v_0) = |v_0| + z_0,$$
$$f(z_0) = 1/(2 + z_0^2),$$
$$f(z_0, z_1, v_0, v_1) = \sin(v_0 z_0)\cos(v_1 z_1).$$

The function $f(z_0) = z_0 \sin(1/z_0)$, on the other hand, is not well-behaved, as when considered as a function of $z_0$ it is not analytical in $z_0 = 0$. ■

Definition 13 (syntactic finite variability (SFV)) We call SFV the formulas that are constructed in the following inductive way.

1. If $u_1, \ldots, u_n$ are terms not containing $T$ or $\Gamma$, then $P\,u_1 \ldots u_n$ is SFV.

2. If $f(z_0, \ldots, z_n, v_1, \ldots, v_k)$ is a well-behaved function, then

$$f(T, \Gamma(\phi_1), \ldots, \Gamma(\phi_n), c_1, \ldots, c_k) = 0,$$
$$f(T, \Gamma(\phi_1), \ldots, \Gamma(\phi_n), c_1, \ldots, c_k) > 0,$$

where $c_1, \ldots, c_k$ are either constants different from $T$ or variables, and $\phi_1, \ldots, \phi_n$ do not contain $T$ or $\Gamma$, are SFV formulas. We call this type of SFV formulas T-atoms.

3. A formula constructed from SFV formulas using propositional connectives or temporal operators is a SFV formula.

4. If $\phi$ is a SFV formula, and $\xi$ does not occur in any T-atom of $\phi$, then $\forall\xi\,\phi$ is a SFV formula.

Within an interval of a continuous trace $\sigma_c$, the $c_1, \ldots, c_k$ of the above definition have constant value. The requirement that $f(z_0, \ldots, z_n, v_1, \ldots, v_k)$ is well-behaved ensures that within each interval of $\sigma_c$ the inequalities change truth value at most finitely often. This is a consequence of a well-known theorem of calculus stating that a function (not identically zero) can have at most a finite number of zeroes in a finite region of the complex plane where it is analytical.

We will say that a formula is SFV even if it is not in a form described by the above definition, but can be easily transformed and put in such a form. As an example, $T > x + y$ is not in the form defined above, but it can be transformed into $T - x - y > 0$, and will thus also be called SFV. In a similar way, $T \ge \Gamma(x = 2) + 4$ can be transformed into $[T - \Gamma(x = 2) - 4 = 0] \vee [T - \Gamma(x = 2) - 4 > 0]$, which is of the above form. It is possible to give a more general definition of SFV that encompasses directly all these cases, but it would be far less concise.

Example 7 The formula $\phi$ of Example 4 is not SFV, as the function $\cos(1/(x - 4))$ is not analytical in $x = 4$, a point of the real axis. The formula of Example 1 is not SFV as it quantifies over $\xi$ and $\zeta$ that appear in the T-atoms $T = \xi$, $T = \zeta$ and $T = (\xi + \zeta)/2$. ■
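The four clauses of Definition 13 can be checked mechanically once the analytic side condition of Definition 12 is supplied. The following checker is an added example (not code from the paper); it represents formulas as a small syntax tree, takes the well-behavedness of the function inside each T-atom as a flag provided by the user (it is a semantic property that no syntactic check can decide), and then applies clauses 1, 3 and 4 syntactically. The sample formulas are constructed here: a linear T-atom, the non-analytical atom of Example 4, and a formula with the quantification pattern of Example 1.

```python
"""Syntactic finite variability (SFV) check, Definition 13 (added example)."""
import re
from dataclasses import dataclass
from typing import Tuple, Union


@dataclass(frozen=True)
class Atom:
    """P u1 ... un; clause 1 forbids T and the age function Γ in the terms."""
    pred: str
    terms: Tuple[str, ...] = ()


@dataclass(frozen=True)
class TAtom:
    """f(T, Γ(φ1), ..., Γ(φn), c1, ..., ck) = 0  or  > 0  (clause 2)."""
    label: str                           # readable form, e.g. "T - x - y > 0"
    well_behaved: bool                   # Definition 12, supplied by the user
    age_args: Tuple["Formula", ...] = () # the φi that appear inside Γ(φi)
    consts: Tuple[str, ...] = ()         # the ci: variables or constants != T


@dataclass(frozen=True)
class Op:
    """A propositional connective or temporal operator applied to subformulas."""
    name: str
    args: Tuple["Formula", ...]


@dataclass(frozen=True)
class Forall:
    var: str
    body: "Formula"


Formula = Union[Atom, TAtom, Op, Forall]


def mentions_time(phi: Formula) -> bool:
    """True if φ contains the time variable T or an age Γ(...) anywhere."""
    if isinstance(phi, Atom):
        return any(re.search(r"\bT\b", t) or "Γ" in t for t in phi.terms)
    if isinstance(phi, TAtom):
        return True                      # T is always the first argument of f
    if isinstance(phi, Op):
        return any(mentions_time(a) for a in phi.args)
    return mentions_time(phi.body)


def t_atom_vars(phi: Formula) -> set:
    """Names occurring as c1..ck in some T-atom of φ (needed for clause 4)."""
    if isinstance(phi, Atom):
        return set()
    if isinstance(phi, TAtom):
        return set(phi.consts)
    if isinstance(phi, Op):
        return set().union(*(t_atom_vars(a) for a in phi.args))
    return t_atom_vars(phi.body)


def is_sfv(phi: Formula) -> bool:
    """Decide membership in the inductively defined class of Definition 13."""
    if isinstance(phi, Atom):                         # clause 1
        return not mentions_time(phi)
    if isinstance(phi, TAtom):                        # clause 2
        return (phi.well_behaved
                and "T" not in phi.consts
                and not any(mentions_time(a) for a in phi.age_args))
    if isinstance(phi, Op):                           # clause 3
        return all(is_sfv(a) for a in phi.args)
    # clause 4: the bound variable must not occur in any T-atom of the body
    return is_sfv(phi.body) and phi.var not in t_atom_vars(phi.body)


# Constructed samples.  T > x + y rewritten as the T-atom T - x - y > 0;
# a linear f is analytical everywhere, hence well-behaved.
PHI_LINEAR = Op("always", (TAtom("T - x - y > 0", True, consts=("x", "y")),))

# Example 4: cos(1/(T - 4)) > 0.  f is not analytical at T = 4 on the real axis.
PHI_COS = TAtom("cos(1/(T - 4)) > 0", False)

# Quantification pattern of Example 1: ξ and ζ are bound but occur in T-atoms.
PHI_QUANT = Forall("ξ", Forall("ζ", Op("implies", (
    Op("and", (TAtom("T - ξ = 0", True, consts=("ξ",)),
               TAtom("T - ζ = 0", True, consts=("ζ",)))),
    Op("eventually", (TAtom("T - (ξ + ζ)/2 = 0", True, consts=("ξ", "ζ")),))))))

# Quantifying over a variable absent from every T-atom is allowed (clause 4).
PHI_OK = Forall("z", Op("and", (Atom("P", ("z",)), TAtom("T - 3 > 0", True))))

# An ordinary atom whose term mentions an age Γ(...) violates clause 1.
PHI_BAD_ATOM = Atom("P", ("Γ(x = 2)",))


def run_checks() -> dict:
    return {name: is_sfv(f) for name, f in [
        ("linear", PHI_LINEAR), ("cos", PHI_COS), ("quant", PHI_QUANT),
        ("ok", PHI_OK), ("bad_atom", PHI_BAD_ATOM)]}


if __name__ == "__main__":
    for name, ok in run_checks().items():
        print(f"{name}: {'SFV' if ok else 'not SFV'}")
```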

We  have  that  SFV  implies  FV,  as  the  theorem  below  states. 

Theorem 5 (SFV implies FV) If $\phi$ is SFV, it is also FV.

Corollary 1 If $\phi$ is SFV, $S \models^D \phi$ implies $S \models^C \phi$. Similarly for initial validity. Therefore the inference rules

$$\frac{S \vdash^D \phi}{S \vdash^C \phi} \qquad\qquad \frac{S \vdash^D_0 \phi}{S \vdash^C_{(0,0)} \phi}$$

with the proviso that $\phi$ is SFV, are sound.
Using syntactic finite variability, we can also establish a connection with propositional temporal logic. Let PTL be the propositional temporal logic of discrete linear time, on the frame $(\mathbb{N}, \le)$, with temporal operators $\mathcal{U}$, $\mathcal{S}$, $\boxminus$, $\Diamond$, and based on the floating semantics. This logic is the same as the one presented in [17], apart from the absence of $\bigcirc$ and $\odot$. The following results hold.

Theorem 6 (from PTL to TLc) If $\models^{PTL} \alpha[p_1, \ldots, p_n]$, where $p_1, \ldots, p_n$ are propositional letters, then $\models^C \alpha[\phi_1, \ldots, \phi_n]$ provided $\phi_1, \ldots, \phi_n$ are FV. Similarly for initial validity. Therefore, the following inference rules

$$\frac{\vdash^{PTL} \alpha[p_1, \ldots, p_n]}{\vdash^C \alpha[\phi_1, \ldots, \phi_n]} \qquad\qquad \frac{\vdash^{PTL}_0 \alpha[p_1, \ldots, p_n]}{\vdash^C_{(0,0)} \alpha[\phi_1, \ldots, \phi_n]}$$

with the proviso that $\phi_1, \ldots, \phi_n$ are SFV, are sound.

It  is  well  known  that  a  similar  result  holds  for  TLd,  for  which  FV  is  not  required  [19]. 
This  result  is  of  relevant  practical  importance,  because  deductive  systems  for  PTL  are 
well-studied  [17],  and  efficient  decision  algorithms  for  the  problem  of  initial  validity  exist 
[11]. 


4.5  Reasoning  in  the  Continuous  Semantics 

Sometimes it is necessary to carry out a small part of the reasoning in the continuous semantics, to put together the results of the verification rules and reach the desired conclusion. In practical verification examples, most of this reasoning is limited to using simple axioms about the completeness and divergence of time along any continuous trace. It is possible to give an axiomatization for TLc. As temporal logic with past, future and explicit time is incomplete [4, 1, 2], this axiomatization will also be incomplete for the first-order case, but nonetheless it will allow the proof of many formulas that arise in practice. The axioms can be divided into three categories: propositional, first-order and about time.

Propositional axioms. The frame $(W, \le)$ of a model $M_{\sigma_c}$ derived from a trace $\sigma_c$ is neither discrete, nor dense, nor complete. In fact, in each interval the set of moments is complete, but there is no moment between the two endpoints of two adjacent closed intervals. We will therefore use an axiomatization for the general frame $(W, \le)$ with the only hypothesis that it is a reflexive linear order with initial world.

Unfortunately, there is no complete set of axioms available in the literature for temporal logic with $\mathcal{U}$, $\mathcal{S}$ and the other temporal operators over the frame $(W, \le)$. A complete axiomatization for $\mathcal{U}$ and $\mathcal{S}$ over the frame $(W, <)$ has been presented in [3], and it is possible to adapt those axiom schemas to a reflexive frame, but no claim of completeness is made at this point. The adapted axiom schemas are listed in Table 1. Of all these axioms, except the one marked with (‡), also the specular image should be taken as an axiom [21]. The specular image of a temporal formula is the formula obtained by substituting the future operators with the corresponding past operators, and vice versa. For example, the specular image of $\Box\Diamond(T = 5)$ is $\boxminus\diamondminus(T = 5)$.
All propositional logic tautologies.
□(<^  — >  ■0)  — >■  (D^  — t 

4>  □'^0 

U4>  DD^ 

Q<^  A  0^  —4  Q0<^ 

(j) 

V  B-i?!))  (t) 


<f>Uip  O’lp 

0(^  — t  ^  — >•  i/  'y) 

0{^  4))  {jU  (f>)  {'jU  i/}) 
(jiUil)  ^  {(t>Uip)Ui} 

(pUip  «■  <t>U{(t>Uil}) 

(pUxjj  A  ->{'Y U ’ip)  (f>U  {(f>  A 
(f>U%p  -t  </>  Vt/) 

^  (V*  V  ->^)  Z/  <f> 


(pUtl^  A^U5  {(pA'^)U  A  V  ^SA  ($i>i/V'))] 

(f>  A{'ij}U'))  -¥  7  A  (V’  V  7)  5  (/ij 


Table 1: Propositional axiom schemas for TLc.

$$\pi = \pi$$

$$P\,\pi_1 \ldots \pi_n \to \Box P\,\pi_1 \ldots \pi_n \qquad (\dagger\dagger)$$

$$\pi_1 = \pi_2 \to (\phi(\pi_1) \to \phi(\pi_2))$$

$$\neg P\,\pi_1 \ldots \pi_n \to \Box\neg P\,\pi_1 \ldots \pi_n \qquad (\dagger\dagger)$$

$$\pi_1 = \pi_2 \to \Box(\pi_1 = \pi_2) \qquad (\dagger\dagger)$$

$$\forall x\,\Box\phi \to \Box\forall x\,\phi$$

$$\neg(\pi_1 = \pi_2) \to \Box\neg(\pi_1 = \pi_2) \qquad (\dagger\dagger)$$

Table 2: First-order axiom schemas for TLc. The axioms denoted by (††) have the proviso that $\pi_1, \pi_2, \ldots, \pi_n$ are terms not containing any flexible constant.


Another way of proceeding consists in defining the reflexive operators in terms of the irreflexive ones, that is, recursively rewriting each $p\,\mathcal{U}\,q$ into $p \wedge (p\,\mathcal{U}\,q)$, and similarly for $\mathcal{S}$ (the other operators can be defined from these two), and then using the original axiomatization proposed in [3] on the translation. Some additional axiom is still necessary to account for the presence of an initial world.

First-order axioms. The set of first-order axioms we will use is entirely classical. They account for rigid and flexible constants and equality, and they include the Barcan Formula, as the domains of quantification are rigid. A list of axiom schemas is given in Table 2. In the table, if $\phi(\pi_1)$ is a formula containing the term $\pi_1$, $\phi(\pi_2)$ denotes a formula obtained from $\phi(\pi_1)$ by replacing some occurrences of $\pi_1$ with $\pi_2$, provided no free variable of $\pi_2$ is captured in the process.

Moreover, we add the axiom $S \vdash^C_{(0,0)} \Theta$, which states that all traces of a system start in an initial state.
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h%^o)T  =  0  T  =  ^-^d(T>0 

T  >  0  ^>T-^  0{T  =  0 

^<t>  -f  r(<^)  =  0  0  <  r(<^)  <  T 

r(0)  =  eAC>e-^o(<^^r(<^)  =  C) 

T  =  i  +  (: h4>s  {t  =  i hv{(i))  ==  v)  ->r((^)  =  u  +  c 

r  =  e  A  b-[<^zy (T  =  o] r((^)  =  0 

Table 3: Time axiom schemas for TLc.
4>-^  Ip,  4>  *~(o,o)  l~ (0,0)  0  P  <P 

Ip  ^  1“  Dp  1“ 

\-''p-^ip  ...  f  <i> 

p-^'^^-ip  l-'^(0.0)  'r  up  l-'jo  0)  p 

b  ®[pi)  •  • -Pn] /•{.■^  bg  Q![pi)--'Pn]  b  p 

'■c~ - 77(8)  ;c  —  77(8)  .C  18  j  c  181 

b  a[pi,...,pn\  b(0_0)  a[0i,...,0„J  I-  P  b(o_o)  0 

Table 4: Inference rules. The rules denoted by (†) have the proviso that $\xi$ must not occur free in $\psi$. The rules denoted by (§) have the proviso that $\phi, \phi_1, \ldots, \phi_n$ are SFV. In all of them, if the premiss(es) is (are) $S$-valid, the conclusion is $S$-valid.

Time axioms. A final set of axioms, listed in Table 3, is used to reason about time. As usual, we list an axiom $\phi$ to mean $\vdash^C \phi$; in the case where we claim only the initial validity of the axiom, as for the first one, we write it explicitly.

Inference rules. The inference rules we propose are listed in Table 4. Note that these rules are based on the floating semantics. On the other hand, the verification rules that have been proposed in [6, 20] are based on the anchored semantics. To transfer the results from the anchored to the floating semantics, it suffices to use the rules:

$$\frac{\vdash^{DA} \Box\phi}{\vdash^D \phi} \qquad\qquad \frac{S \vdash^{DA} \Box\phi}{S \vdash^D \phi}$$

where $\vdash^{DA}$ is the provability relation in the anchored version of TLd.
5 An Example of Verification

We will now present a simple example of how the verification methods for TLd can be used together with the time axioms and temporal reasoning to prove simple properties of systems expressed in TLc. We will choose a property that does not hold in TLd, to demonstrate the use of the time axioms for TLc.

We will not enter into the details of how the verification rules for TLd are used to prove properties of a system, as this topic is dealt with in detail in [18, 9, 20].

Imprecise Oscillator

Consider a system OSC, consisting of an oscillator whose state is represented by the variable $x$. The oscillator can be in any of two states, $x = 0$ and $x = 1$, and it can stay in each of them for 3 to 5 seconds before switching to the other one. The oscillator starts in the state $x = 0$. The system can be described by:

$$\Theta:\ x = 0 \qquad\qquad \mathcal{T}:\ \{\tau_0, \tau_1\}$$
$$\rho_{\tau_0}:\ x = 0 \wedge x' = 1 \qquad\qquad \rho_{\tau_1}:\ x = 1 \wedge x' = 0$$
$$l_{\tau_0} = l_{\tau_1} = 3 \qquad\qquad u_{\tau_0} = u_{\tau_1} = 5$$

We want to verify that OSC satisfies the following property:

“The oscillator is in the state $x = 1$ some time between 6 and 7 seconds after it is started.”

This specification can be written as

$$\mathrm{OSC} \models^C_{(0,0)} \Diamond(x = 1 \wedge 6 < T < 7). \tag{1}$$

It is not difficult to see that the corresponding specification in TLd, $\mathrm{OSC} \models^D_0 \Diamond(x = 1 \wedge 6 < T < 7)$, does not hold. To prove (1), define the abbreviations

$$\psi:\ x = 0 \wedge \Gamma(x = 0) = T \wedge T < 3, \tag{2}$$
$$\phi:\ T < 8 \to [x = 1 \wedge \Gamma(x = 1) \le T - 3]. \tag{3}$$

The following implications hold:

$$\psi \to (T = 6.5 \to x = 1), \qquad \phi \to (T = 6.5 \to x = 1). \tag{4}$$

The  proof  of  the  specification  (1)  proceeds  as  follows. 

$$\mathrm{OSC} \vdash^D_0 \psi\,\mathcal{W}\,\phi \qquad \text{from wait-for verification rule for TLd} \tag{5}$$
$$\mathrm{OSC} \vdash^D \phi \to \Box\phi \qquad \text{from invariance verification rule for TLd} \tag{6}$$
$$\mathrm{OSC} \vdash^D_0 \psi\,\mathcal{W}\,\Box\phi \qquad \text{from (5), (6) by temporal reasoning in TLd} \tag{7}$$
$$\mathrm{OSC} \vdash^D_0 \Box(T = 6.5 \to x = 1) \qquad \text{from (4), (5), (6) by temporal reasoning in TLd} \tag{8}$$
$$\mathrm{OSC} \vdash^C_{(0,0)} \Box(T = 6.5 \to x = 1) \qquad \text{from (8), as it is SFV} \tag{9}$$
$$\mathrm{OSC} \vdash^C_{(0,0)} \Diamond(T = 6.5) \qquad \text{from the time axioms of TLc} \tag{10}$$
$$\mathrm{OSC} \vdash^C_{(0,0)} \Diamond(T = 6.5 \wedge x = 1) \qquad \text{from (9), (10), temporal reasoning in TLc} \tag{11}$$
$$\mathrm{OSC} \vdash^C_{(0,0)} \Diamond(x = 1 \wedge 6 < T < 7) \qquad \text{from (11)} \tag{12}$$

It  is  also  possible  to  eliminate  from  this  proof  all  temporal  reasoning  in  TLc,  apart  from 
the  application  of  the  time  axioms.  This  is  done  by  introducing  antecedents  of  implications 
in TLd that will be discarded by time axioms of TLc. This transformation shows how
reasoning  in  TLc  can  be  kept  to  a  minimum.  The  final  steps  of  the  previous  proof  can  be 
modified  as  follows. 


$$\mathrm{OSC} \vdash^D_0 \Diamond(T = 6.5) \to \Diamond(T = 6.5 \wedge x = 1) \qquad \text{from (8) by temporal reasoning in TLd} \tag{13}$$
$$\mathrm{OSC} \vdash^D_0 \Diamond(T = 6.5) \to \Diamond(x = 1 \wedge 6 < T < 7) \qquad \text{from (13)} \tag{14}$$
$$\mathrm{OSC} \vdash^C_{(0,0)} \Diamond(T = 6.5) \to \Diamond(x = 1 \wedge 6 < T < 7) \qquad \text{from (14), as it is SFV} \tag{15}$$
$$\vdash^C_{(0,0)} \Diamond(T = 6.5) \qquad \text{from the time axioms of TLc} \tag{16}$$
$$\mathrm{OSC} \vdash^C_{(0,0)} \Diamond(x = 1 \wedge 6 < T < 7) \qquad \text{from (15), (16)} \tag{17}$$

6  Hybrid  Systems 

The  results  obtained  for  real-time  systems  can  be  transferred  to  hybrid  systems,  provided 
that  a  proper  relationship  can  be  set  up  between  the  discrete  and  continuous  semantics.  In 
particular,  we  need  to  give  a  new  definition  of  SFV  for  hybrid  systems,  to  account  for  the 
fact  that  the  state  can  change  continuously  in  time,  and  we  need  to  show  how  to  define  the 
traces and the translations in such a way that we can prove the analogue of Theorem 4.

6.1  Phase  Transition  Systems 

We will model hybrid systems by phase transition systems similar to those of [18, 20]. A phase transition system (PTS) $S = (V, \Sigma, \mathcal{P}, \mathcal{T}, L, U, \Theta)$ consists of the following components.

1. A set $V$ of variables, called state variables, each with its type. $V$ is partitioned into two disjoint subsets: $V_d$ and $V_c$. The variables in $V_d$ are called discrete variables; they can be of any type and they can change only in an instantaneous way. The variables in $V_c$ are called continuous variables, have type real, and can change both in an instantaneous and in a continuous way.

2. A set $\Sigma$ of states: each state is a type-consistent interpretation of the variables. Again, we write $s(x)$ to denote the interpretation of $x \in V$ at state $s$. We write $s|_{V_d}$, $s|_{V_c}$ to denote the restrictions of the interpretation $s$ to discrete and continuous variables only, respectively.

3. A set $\Theta \subseteq \Sigma$ of initial states.

4. A set $\mathcal{P}$ of phases. $\mathcal{P}$ is partitioned into disjoint subsets, one for each variable in $V_c$. The subset corresponding to $x \in V_c$ will be denoted by $\mathcal{P}_x$.

5. A set $\mathcal{T}$ of transitions, where $\tau \subseteq \Sigma \times \Sigma$ for each $\tau \in \mathcal{T}$. $\mathcal{T}$ is partitioned into two disjoint subsets: the set of immediate transitions, which must be executed no later than the time at which they become enabled, and the set of delayed transitions, whose enabling does not depend on the continuous variables.

6. Two sets $L$, $U$ of minimum and maximum delays for the delayed transitions.

Phases. For each $x \in V_c$, every phase $p \in \mathcal{P}_x$ is composed of an enabling condition $c_p \subseteq \Sigma$ and of a phase function $f_p : \Sigma \to \mathbb{R}$. The phase $p$ is used to represent a differential equation governing $x$: the intended meaning is that if $c_p$ holds, then it must be $\dot{x} = f_p(s)$ in each state $s$ where the state changes continuously. The enabling condition $c_p$ can depend on the discrete variables only: formally, for all $s, s' \in \Sigma$, $s|_{V_d} = s'|_{V_d} \to (s \in c_p \leftrightarrow s' \in c_p)$.

We say that a phase $p$ is linear if the function $f_p$ is a linear function of the continuous variables. It is not required that $f_p$ is linear in the discrete variables as well.

Transitions. We define the enabling condition $c_\tau$ of a transition $\tau \in \mathcal{T}$ as the set of states that have a successor according to the transition, or $c_\tau = \{s \mid \exists s'\,[(s, s') \in \tau]\}$. Transitions must be self-disabling, that is, $(s, s') \in \tau \to s' \notin c_\tau$.

If an immediate transition becomes enabled at time $t$, it has to be taken or disabled by some other transition before time advances past $t$. There is no restriction on the enabling condition of immediate transitions; it can depend on both the continuous and the discrete part of the state.

Each delayed transition $\tau$ has an associated minimum delay $l_\tau \in L$ and maximum delay $u_\tau \in U$, with $0 \le l_\tau \le u_\tau \le \infty$. After $\tau$ is enabled, it can wait for a time $t_d$ with $l_\tau \le t_d \le u_\tau$ before being taken. The enabling condition of delayed transitions can depend only on the discrete component of the state: for all $s, s' \in \Sigma$, it is $s|_{V_d} = s'|_{V_d} \to (s \in c_\tau \leftrightarrow s' \in c_\tau)$.

6.2 Continuous Semantics

The continuous semantics of hybrid systems is defined in terms of hybrid traces. They differ from the continuous traces used for real-time systems, as the value of the continuous variables can vary in the intervals composing the trace. The definition is as follows.

Definition 14 (hybrid trace) A hybrid trace $\sigma_h$ is a sequence of pairs $\sigma_h$: $(g_0, I_0), (g_1, I_1), (g_2, I_2), \ldots$ with $I_n \in \mathrm{Int}_{\mathbb{R}}$, $g_n : I_n \to \Sigma$, for all $n \in \mathbb{N}$. The intervals can overlap at most at the endpoints, and they cover all $\mathbb{R}^+$: for all $n$,

$$\sup I_n = \inf I_{n+1}, \qquad\qquad \bigcup_{n \in \mathbb{N}} I_n = \mathbb{R}^+ .$$

Each function $g_n$ assigns a state $g_n(t) \in \Sigma$ to each time $t \in I_n$. The discrete variables cannot change their value in an interval: for all $n \in \mathbb{N}$ and all $t_1, t_2 \in I_n$, $g_n(t_1)|_{V_d} = g_n(t_2)|_{V_d}$.

The value of variable $x$ at time $t$ of interval $I_n$ is thus $g_n(t)(x)$. Again, we define admission only for closed traces, for simplicity.

Definition 15 (admission, hybrid traces) A PTS $S$ admits a trace $\sigma_h$: $(g_0, I_0), (g_1, I_1), (g_2, I_2), \ldots$, written $S \triangleright \sigma_h$, if $\sigma_h$ is closed and the following conditions are satisfied:

1. The phases are respected: for each $x \in V_c$ and $n \in \mathbb{N}$, if …, there is a $p \in \mathcal{P}_x$ such that, for all $t \in I_n$:

$$g_n(t) \in c_p, \qquad\qquad f_p(g_n(t)) = \left.\frac{d\,g_n(u)(x)}{du}\right|_{u = t}$$

where it is assumed that for $I_n^- < t < I_n^+$ the derivative $d\,g_n(u)(x)/du\,|_{u=t}$ exists, and for $t = I_n^+$, $t = I_n^-$ the left-hand and right-hand derivatives, respectively, exist.

2. No immediate transition is skipped: for all $n$ and every immediate transition $\tau$, $\forall t < I_n^+ .\ g_n(t) \notin c_\tau$.

3. All discrete state changes are due to a transition: for all $n$, either $g_n(I_n^+) = g_{n+1}(I_{n+1}^-)$ or $(g_n(I_n^+), g_{n+1}(I_{n+1}^-)) \in \tau$ for some $\tau \in \mathcal{T}$. If such a $\tau$ is a delayed transition, we also require that it has been enabled for at least $l_\tau$: for all $k \in \mathbb{N}$,

$$k \le n \wedge I_k^+ > I_n^+ - l_\tau \;\to\; g_k(I_k^+) \in c_\tau .$$

4. Delayed transitions never wait for longer than their maximum delay: for every delayed transition $\tau$ and $n_1, n_2 \in \mathbb{N}$ with $n_2 \ge n_1$,

$$I_{n_2}^- - I_{n_1}^+ \le u_\tau \;\vee\; \exists n_3\,[n_1 \le n_3 \le n_2 \wedge g_{n_3}(I_{n_3}^+) \notin c_\tau] .$$

6.3  Discrete  Semantics 

The  discrete  semantics  of  hybrid  systems  is  defined  in  terms  of  discrete  traces,  exactly  as 
it  was  done  for  real-time  systems  in  Definition  1.  However,  we  do  not  define  admission 
of  discrete  traces  directly:  we  will  define  it  through  hybrid  traces,  using  the  translation 
functions. 


6.4 Temporal Logic

Temporal logic is then defined for discrete and hybrid traces in the same way it was defined for discrete and continuous traces, respectively, for real-time systems. The logic corresponding to discrete traces is TLd, as before. The logic corresponding to hybrid traces will be called TLh; its satisfaction relation will be denoted with $\models^H$ and its provability relation with $\vdash^H$. We use a different name for TLh, as we do not wish to imply that TLc and TLh are the same. A deductive system for TLh will be discussed later.




7  From  Discrete  to  Continuous  Reasoning 

Refinement of discrete traces was defined in Definition 7. Refinement of hybrid traces is defined as follows.

Definition 16 (refinement, hybrid traces) A hybrid trace $\sigma'_h$: $(g'_0, I'_0), (g'_1, I'_1), (g'_2, I'_2), \ldots$ is a refinement of $\sigma_h$: $(g_0, I_0), (g_1, I_1), (g_2, I_2), \ldots$ with partitioning function $\rho$, denoted $\sigma'_h \sqsubseteq \sigma_h$, if $I_i = \bigcup_{j \in \rho_i} I'_j$ and, for every $i, j \in \mathbb{N}$ such that $j \in \rho_i$, it is $\forall t \in I'_j\,[g'_j(t) = g_i(t)]$.

Sampling equivalence is then defined as before. The definition of the translation functions has to be modified, and we denote the new versions with $\zeta_h$ and $\eta_h$. In particular, a discrete trace no longer encodes all the information required to reconstruct a hybrid trace: it contains the information about the state at the beginning and at the end of each closed interval, but it does not represent the evolution of the state in the interior of the interval. Therefore, to a single discrete trace correspond many hybrid ones that agree with the discrete one at the endpoints of the intervals.

Definition 17 ($\zeta_h$: $\sigma_d \mapsto \sigma_h$) The translation function $\zeta_h$ associates to $\sigma_d$: $(s_0, t_0), (s_1, t_1), (s_2, t_2), \ldots$ a set of closed hybrid traces such that, for every $\sigma_h$: $(g_0, I_0), (g_1, I_1), (g_2, I_2), \ldots \in \zeta_h(\sigma_d)$, and for every $n$, it is $I_n^- = t_{2n}$, $I_n^+ = t_{2n+1}$, $g_n(I_n^-) = s_{2n}$, $g_n(I_n^+) = s_{2n+1}$.

Definition 18 ($\eta_h$: $\sigma_h \mapsto \sigma_d$) The translation function $\eta_h$ associates to $\sigma_h$: $(g_0, I_0), (g_1, I_1), (g_2, I_2), \ldots$ the discrete trace $\sigma_d$: $(s_0, t_0), (s_1, t_1), (s_2, t_2), \ldots$ defined in the following way, for all $n \in \mathbb{N}$.

1. (a) If $I_n$ is closed, $t_{2n} = I_n^-$, $t_{2n+1} = I_n^+$.

(b) If $I_n$ is left open, $t_{2n} = t_{2n+1} = I_n^+$.

(c) If $I_n$ is right open, $t_{2n} = t_{2n+1} = I_n^-$.

(d) If $I_n$ is open, $t_{2n} = t_{2n+1} = (I_n^- + I_n^+)/2$.

2. $s_{2n} = g_n(t_{2n})$, $s_{2n+1} = g_n(t_{2n+1})$.
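The translation $\eta_h$ of Definition 18, together with the side conditions of Definition 14 on a finite prefix of a hybrid trace, as an added example that is not code from the paper. Each $(g_n, I_n)$ is a pair of a Python function and an interval carrying its open/closed flags; the example assumes that $s_{2n}$ and $s_{2n+1}$ are $g_n$ evaluated at the chosen sample times (which coincide with the endpoints for closed intervals), and the sample trace with a discrete variable $x$ and a continuous variable $y$ is constructed here.

```python
"""Hybrid trace -> discrete trace translation (Definition 18), added example."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

State = Dict[str, float]


@dataclass(frozen=True)
class Interval:
    """I_n with its endpoints I_n^- (lo), I_n^+ (hi) and open/closed flags."""
    lo: float
    hi: float
    left_closed: bool = True
    right_closed: bool = True

    def sample_times(self) -> Tuple[float, float]:
        """t_2n, t_2n+1 according to the four cases of Definition 18."""
        if self.left_closed and self.right_closed:   # (a) closed
            return self.lo, self.hi
        if self.right_closed:                        # (b) left open
            return self.hi, self.hi
        if self.left_closed:                         # (c) right open
            return self.lo, self.lo
        mid = (self.lo + self.hi) / 2                # (d) open
        return mid, mid


HybridTrace = List[Tuple[Callable[[float], State], Interval]]
DiscreteTrace = List[Tuple[State, float]]


def check_hybrid_trace(trace: HybridTrace, discrete_vars: Tuple[str, ...],
                       probes: int = 5) -> None:
    """Definition 14 side conditions on a finite prefix: sup I_n = inf I_{n+1},
    and discrete variables constant inside each interval.  g_n is a black box,
    so constancy is checked at a few interior probe times only."""
    for n, (g, iv) in enumerate(trace):
        if n + 1 < len(trace) and iv.hi != trace[n + 1][1].lo:
            raise ValueError(f"sup I_{n} != inf I_{n + 1}")
        times = [iv.lo + (iv.hi - iv.lo) * k / (probes + 1)
                 for k in range(1, probes + 1)]
        ref = g(times[0])
        for t in times[1:]:
            for v in discrete_vars:
                if g(t)[v] != ref[v]:
                    raise ValueError(f"discrete variable {v} changes inside I_{n}")


def to_discrete(trace: HybridTrace) -> DiscreteTrace:
    """eta_h: each (g_n, I_n) contributes (s_2n, t_2n) and (s_2n+1, t_2n+1).
    Assumption: s_2n = g_n(t_2n) and s_2n+1 = g_n(t_2n+1)."""
    out: DiscreteTrace = []
    for g, iv in trace:
        t0, t1 = iv.sample_times()
        out.append((g(t0), t0))
        out.append((g(t1), t1))
    return out


# Constructed sample: x is discrete and toggles between intervals; y is a
# continuous variable growing at rate 1 from y0 within each interval.
def phase(x: float, y0: float, start: float) -> Callable[[float], State]:
    return lambda t: {"x": x, "y": y0 + (t - start)}


SAMPLE_TRACE: HybridTrace = [
    (phase(0.0, 0.0, 0.0), Interval(0.0, 3.0)),                      # closed
    (phase(1.0, 0.0, 3.0), Interval(3.0, 5.0, left_closed=False)),   # left open
    (phase(0.0, 2.0, 5.0), Interval(5.0, 8.0, right_closed=False)),  # right open
    (phase(1.0, 0.0, 8.0), Interval(8.0, 10.0, False, False)),       # open
]


def translate_sample() -> DiscreteTrace:
    """Validate the constructed trace, then translate it.  Note how the
    interior of every non-closed interval is lost: both samples coincide."""
    check_hybrid_trace(SAMPLE_TRACE, ("x",))
    return to_discrete(SAMPLE_TRACE)


if __name__ == "__main__":
    for s, t in translate_sample():
        print(f"t = {t:5.2f}  x = {s['x']:.0f}  y = {s['y']:.2f}")
```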

A PTS $S$ admits a discrete trace if the discrete trace describes a hybrid trace admitted by $S$. This is the implicit meaning of the definition given in [20].

Definition 19 (admission, discrete traces) A PTS $S$ admits a discrete trace $\sigma_d$, written $S \triangleright \sigma_d$, if there is a $\sigma_h \in \zeta_h(\sigma_d)$ such that $S \triangleright \sigma_h$.

In defining finite variability for hybrid systems, it is essential to define it with respect to a given PTS, to constrain somehow the behavior of the continuous variables.

Definition 20 (HFV) A formula $\phi$ is hybrid finite variability, or HFV, with respect to a PTS $S$ if for every $\sigma_h$ admitted by $S$ and every $\mathcal{I}$, there exists a $\sigma'_h \sqsubseteq \sigma_h$ such that $\mathcal{I}, \sigma'_h \models_{(i,t)} \psi \leftrightarrow \mathcal{I}, \sigma'_h \models_{(i,t')} \psi$ for all $i \in \mathbb{N}$, all $t, t' \in I'_i$ and all $\psi \in \mathrm{sb}(\phi)$.

With these definitions, we can prove the counterpart of Theorem 4.

Theorem 7 (transfer of validity, hybrid case) If $S \models^D \phi$ and $\phi$ is HFV with respect to $S$, then $S \models^H \phi$. If $S \models^D_0 \phi$ and $\phi$ is HFV with respect to $S$, then $S \models^H_{(0,0)} \phi$.

Again, we present a sufficient condition for a formula to be HFV with respect to a PTS $S$.

Definition  21  (simple  age  function)  We  say  that  an  age  function  r(^)  is  simple  with 
respect  to  a  system  S  if  its  argument  (j>  does  not  contain  occurrences  of  continuous  state 
variables  of  S. 

Definition 22 (syntactic finite variability, hybrid (HSFV)) A formula is HSFV with respect to a PTS $S$ if the phases of $S$ are linear, and if the formula is constructed in the following inductive way.

1. If $u_1, \ldots, u_n$ are terms not containing $T$, $\Gamma$, or continuous variables, then $P\,u_1 \ldots u_n$ is HSFV.

2. If $f(z_0, \ldots, z_n, v_1, \ldots, v_k)$ is a well-behaved function, then $f(b_0, \ldots, b_n, c_1, \ldots, c_k) = 0$, $f(b_0, \ldots, b_n, c_1, \ldots, c_k) > 0$ are HSFV formulas, provided $b_0, \ldots, b_n$ are constants of the logic or simple age functions, and $c_1, \ldots, c_k$ are variables of the logic, or constants different from $T$ and from continuous state variables. We call this type of HSFV formulas T-atoms.

3. A formula constructed from HSFV formulas using propositional connectives or temporal operators is a HSFV formula.

4. If $\phi$ is a HSFV formula, and $\xi$ does not occur in any T-atom of $\phi$, then $\forall\xi\,\phi$ is a HSFV formula.

Theorem 8 (HSFV implies HFV) If $\phi$ is HSFV with respect to a PTS $S$, it is also HFV with respect to it. Therefore, the inference rules

$$\frac{S \vdash^D \phi}{S \vdash^H \phi} \qquad\qquad \frac{S \vdash^D_0 \phi}{S \vdash^H_{(0,0)} \phi}$$

with the proviso that $\phi$ is HSFV with respect to $S$, are sound.

The restriction requiring the linearity of the phases is important, and cannot be lifted without being substituted by some other kind of condition ensuring that the solutions of the differential equations are well-behaved in the sense of Definition 12.

A deductive system for TLh. Since the definition of syntactic finite variability is now relative to a PTS, we need to modify slightly the deductive system proposed for TLc. We take the same set of axioms, and all the inference rules listed in Table 4 apart from the last four, denoted by (§). Those four are replaced by the following rules:

$$\frac{\vdash^{PTL} \alpha[p_1, \ldots, p_n]}{S \vdash^H \alpha[\phi_1, \ldots, \phi_n]} \qquad \frac{\vdash^{PTL}_0 \alpha[p_1, \ldots, p_n]}{S \vdash^H_{(0,0)} \alpha[\phi_1, \ldots, \phi_n]} \qquad \frac{S \vdash^D \phi}{S \vdash^H \phi} \qquad \frac{S \vdash^D_0 \phi}{S \vdash^H_{(0,0)} \phi}$$

with the proviso that $\phi, \phi_1, \ldots, \phi_n$ are HSFV with respect to $S$.